Security
Headlines
HeadlinesLatestCVEs

Tag

#git

10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux

Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems. "The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests

The Hacker News
Open in Source
#web#mac#windows#google#linux#cisco#nodejs#js#git#java#intel#auth#ssh#The Hacker News
Aisuru Botnet Shifts from DDoS to Residential Proxies

Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic. Experts says a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users.

GHSA-7f5h-v6xp-fcq8: Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``

### Summary An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's `FileResponse` Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., `StaticFiles` or any use of `FileResponse`). ### Details Starlette parses multi-range requests in ``FileResponse._parse_range_header()``, then merges ranges using an O(n^2) algorithm. ```python # starlette/responses.py _RANGE_PATTERN = re.compile(r"(\d*)-(\d*)") # vulnerable to O(n^2) complexity ReDoS class FileResponse(Response): @staticmethod def _parse_range_header(http_range: str, file_size: int) -> list[tuple[int, int]]: ranges: list[tuple[int, int]] = [] try: units, range_ = http_range.split("=", 1) except ValueError: raise MalformedRangeHeader() # [...] ranges = [ ( int(_[0]) if _[0] else file_size - in...

GHSA-867c-p784-5q6g: PrivateBin is missing HTML sanitization of attached filename in file size hint

We’ve identified an HTML injection/XSS vulnerability in PrivateBin service that allows the injection of arbitrary HTML markup via the attached filename. Below are the technical details, PoC, reproduction steps, impact, and mitigation recommendations. **Recommend action:** As the vulnerability has been fixed in the latest version, users are **strongly encouraged** to upgrade PrivateBin to the latest version _and_ [check](https://privatebin.info/directory/check) that a strong CSP header, just as the default suggested one, is delivered. **Summary of the vulnerability:** The `attachment_name` field containing the attached file name is included in the object that the client encrypts and is eventually rendered in the DOM without proper escaping. ## Impact The vulnerability allows attackers to inject arbitrary HTML into the filename displayed near the file size hint, when attachments are enabled. This is by definition [a XSS vulnerability (CWE-80)](https://cwe.mitre.org/data/definitions/80...

About Remote Code Execution – Redis “RediShell” (CVE-2025-49844) vulnerability

About Remote Code Execution – Redis “RediShell” (CVE-2025-49844) vulnerability. Redis is a popular in-memory key–value database, used as a distributed cache and message broker, with optional durability. This vulnerability allows a remote authenticated attacker to execute arbitrary code via a specially crafted Lua script. The requirement for authentication does not reduce its severity, because authentication […]

GHSA-f5p4-p5q5-jv3h: Contrast has insecure LUKS2 persistent storage partitions may be opened and used

### Summary A malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the [secure persistent volume](https://docs.edgeless.systems/contrast/howto/encrypted-storage) feature. The guest will open the volume and write secret data using a volume key known to the attacker. LUKS2 volume metadata is (a) not authenticated and (b) supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume: - Opens (cryptsetup open) without error using any passphrase or token - Records all writes in plaintext (or ciphertext with an attacker-known key) ### Details Contrast uses cryptsetup to setup secure persistent volumes, using the secret seed as key for the cryptsetup encryption. To do so the Contrast Initializer will invoke the `cryptsetup` CLI. If the device provided by Kubernetes is a identified as cryptsetup device, the Initializer assumes a pod restart happened and the device was previously encrypted with the secret seed. The Initia...

GHSA-qcpr-679q-rhm2: Astro's bypass of image proxy domain validation leads to SSRF and potential XSS

### Summary This is a patch bypass of CVE-2025-58179 in commit [9ecf359](https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252). The fix blocks `http://`, `https://` and `//`, but can be bypassed using backslashes (`\`) - the endpoint still issues a server-side fetch. ### PoC [https://astro.build/_image?href=\\raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg&f=svg](https://astro.build/_image?href=%5C%5Craw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg&f=svg)

GHSA-q8j9-34qf-7vq7: Silver has unrestricted traffic between Wireguard clients

### Summary Sliver's custom Wireguard netstack doesn't limit traffic between Wireguard clients, this could lead to: 1. Leaked/recovered keypair (from a beacon) being used to attack operators. 2. Port forwardings usable from other implants. ### Details 1. Sliver treat operators' Wireguard config and beacon/session's Wireguard config equally, they both connect to the wireguard listener created from the CLI. 2. The current netstack implementation does not filter traffic between clients. I think this piece of code handle traffic between clients, from experimental results clients can ping and connect to each other freely, and I didn't see any filtering here either: ``` File: server\c2\wireguard.go 246: func socketWGWriteEnvelope(connection net.Conn, envelope *sliverpb.Envelope) error { 247: data, err := proto.Marshal(envelope) 248: if err != nil { 249: wgLog.Errorf("Envelope marshaling error: %v", err) 250: return err 251: } 252: dataLengthBuf := new(bytes.Buffer) 253: binary.W...

Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains

Threat actors tied to North Korea have been observed targeting the Web3 and blockchain sectors as part of twin campaigns tracked as GhostCall and GhostHire. According to Kaspersky, the campaigns are part of a broader operation called SnatchCrypto that has been underway since at least 2017. The activity is attributed to a Lazarus Group sub-cluster called BlueNoroff, which is also known as APT38,

CBP Searched a Record Number of Phones at the US Border Over the Past Year

The total number of US Customs and Border Protection device searches jumped by 17 percent over the 2024 fiscal year, but more invasive forensic searches remain relatively rare.